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(54) Image data authentication system 

(57) Image data verification system that reliably de- 
termines whether image data generated by an image 
generation device such as a digital camera is altered or 
not without a significant increase of the computational 
capacity of the image generation device. The image 
generation device provides a hash of the image data 



(optionally, a keyed hash, or an encrypted hash of the 
data) to a separate verification data converting device, 
which appends a digital signature (using a private key 
KS). There is also provided an image verification device 
which verifies the digital signature (using the public key 
KP corresponding to KS). 
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Description 

BACKGROUND OF THE INVENTION 
Field of the Invention 

[0001 ] The present invention relates to an image data 
verification system for detecting an alteration in image 
data generated by an image generation device such as 
a digital camera. 

Related Background Art 

[0002] In recent years, digital cameras for storing an 
optical image of a subject by digitizing the optical image 
have commercially practical. 
[0003] Although image data obtained by a digital cam- 
era can be easily imported to a personal computer, it 
also can be easily altered in the personal computer. 
Consequently, there is a problem that image data ob- 
tained by a digital camera is inferior to that of a film photo 
in reliability, and therefore, in admissibility of evidence. 
In view of such a circumstance, a digital camera system 
with a function of adding a digital signature to the image 
data obtained by the digital camera has been proposed 
in recent years. Conventional digital camera systems 
with a digital signature function are disclosed in U.S. 
Patent No. 5,499,294, Japanese Patent Application 
Lald-Open No. 9-200730 and so on. 
[0004] In order to generate a digital signature, the 
public key cryptography as the RSA encryption is typi- 
cally used. However, the public key cryptography sys- 
tem such as the RSA encryption, which requires expo- 
nentiation and remainder calculation, can hardly realize 
a high speed processing, and requires a processing 
time hundreds or thousands times longer than that of 
the common key cryptography such as the DES, There- 
fore, there is a problem that it is quite difficult with the 
restricted calculation resource of the conventional dig- 
ital camera to generate a digital signature. While there 
may be contemplated a method for allowing the digital 
signature to be generated easily by enhancing signifi- 
cantly the performance of the calculation resource of the 
conventional digital camera, this method is not preferred 
because the cost of the digital camera itself is signifi- 
cantly increased. 

SUMMARY OF THE INVENTION 

[0005] A concern of the present invention is to solve 
the above-described problems, 
[0006] Furthermore, the present invention aims to 
provide an image data verification system that prevents 
the cost of an image generation device such as a digital 
camera from being increased and can reliably deter- 
mine whether image data obtained by the image gener- 
ation device is altered or not. 
[0007] An image data verification system according to 



one preferred embodiment of the present invention is 
an image data verification system having an image gen- 
eration device and afirst verification data generation de- 
vice, characterized in that 
5 the image generation device includes: 

image data generation means for generating image 
data; and 

first verification data generation means for generat- 
'o ing first verification data for the image data using 
first information, and 

the verification data generation device includes: 

verification means for verifying whether the im- 
15 age data is altered or not by using the image 

data, the first verification data, and the first in- 
formation; and 

second verification data generation means for, 
if the image data is not altered, generating sec- 
20 ond verification dataforthe image data by using 

second information. 

[0008] Still other features of the present invention, 
and the advantages thereof, will become fully apparent 
25 from the following detailed description of the embodi- 
ments. 

BRIEF DESCRIPTION OF THE DRAWINGS 



30 [0009] 

Fig. 1 is a block diagram showing an essential con- 
figuration of an image generation device 1 0 accord- 
ing to a first embodiment; 
35 Fig. 2 is a block diagram showing an essential con- 
figuration of a verification data converting device 20 
according to the first embodiment; 
Fig. 3 is a block diagram showing an essential con- 
figuration of an image verification device 30 accord- 
ed ing to the first embodiment; 

Fig. 4 is a diagram for illustrating a processing pro- 
cedure of an image data verification system accord- 
ing to the first embodiment; 
Figs. 5A and SB are diagrams for illustrating a meth- 
45 od for generating primary verification data; 

Fig. 6 is a diagram for illustrating an example of a 
simple calculation; 

Figs. 7A and 7B show examples of each of tables 
T1 andT2; 

so Fig. 8 is a diagram for illustrating a method for gen- 
erating secondary verification data (that is, digital 
signature); 

Fig. 9 is a flowchart showing a processing proce- 
dure of the image generation device 10 according 
55 to the first embodiment; 

Fig. 10 is a flowchart showing a processing proce- 
dure of the verification data converting device 20 
according to the first embodiment; 



2 



3 



EP 1 209 847 A1 



4 



Fig. 11 is a flowchart showing a processing proce- 
dure of the image verification device 30 according 
to the first embodiment; 

Fig. 12 is a diagram showing an example of a con- 
figuration of an image data verification system ac- 5 
cording to the first embodiment; 
Fig. 13 is a diagram showing an example of a con- 
figuration of an image data verification system ac- 
cording to a second embodiment; 
Fig. 1 4 is a block diagram showing an essential con- 
figuration of a first verification data converting de- 
vice 20A according to the second embodiment; 
Fig. 1 5 is a block diagram showing an essential con- 
figuration of a second verification data converting 
device 20B according to the second embodiment; 
Fig. 1 6 is a diagram for illustrating a processing pro- 
cedure of the image data verification system ac- 
cording to the second embodiment; 
Fig. 1 7 is a flowchart showing a processing proce- 
dure of the verification data converting device 20A 
according to the second embodiment; and 
Fig. 18 is a flowchart showing a processing proce- 
dure of the verification data converting device 20B 
according to the second embodiment. 

DETAILED DESCRIPTION OFTHE PREFERRED 
EMBODIMENTS 

(First embodiment) 

[0010] Now, a preferred first embodiment of the 
present invention will be described with reference to the 
drawings. 

[0011] First, Fig, 12 is a diagram showing an example 
of a configuration of an image data verification system 
according to the first embodiment. 
[0012] Reference numeral 10 denotes an image gen- 
eration device that generates image data of a subject 
and primary verification data for verifying integrity of the 
image data, thereby generating an image file with pri- 
mary verification data. Here, the image generation de- 
vice 1 0 may be an image pickup device such as a digital 
camera, digital camcorder, or scanner, or may be elec- 
tronic equipment with afunction of obtaining image data 
of a subject. 

[0013] Reference numeral 20 denotes a verification 
data converting device that verifies the integrity of the 
image data in the image file with primary verification da- 
ta to determine whetherthe image data is altered or not. 
If the integrity of the image data is confirmed (that is, if 
the image data is not altered), the verification data con- 
verting device 20 generates secondary verification data 
(that is, digital signature) for verifying the integrity and 
validity of the image data and converts the image file 
with primary verification data into the image file with sec- 
ondary verification data. Here, the verification data con- 
verting device 20 is a computer such as a personal com- 
puter. 



[0014] Reference numeral 30 denotes an image ver- 
ification device that verifies the integrity of the image da- 
ta in the image file with secondary verification data and 
determines whetherthe image data of the file is altered 
or not. Here, the image verification device 30 is a server 
computer having the verification data converting device 
20 as a client. 

[0015] The medium connecting the image generation 
device 10 and verification data converting device 20 
may be a transmission medium such as a LAN, 
IEEE1 394-1 995, or USB (Universal Serial Bus), or a re- 
movable medium (removable storage medium) such as 
a memory card. The medium connecting the verification 
data converting device 20 and image verification device 
30 may be a public network such as the Internet, or a 
removable medium (removable storage medium) such 
as a memory card. 

[0016] Next, a configuration of the image generation 
device 1 0 according to the first embodiment will be de- 
scribed. Fig. 1 is a block diagram showing an essential 
configuration of the image generation device 10 accord- 
ing to the first embodiment. In this drawing, each of the 
blocks represents a component having a specific func- 
tion. 

[0017] Reference numeral 11 denotes a control / cal- 
culation unit with a working memory and microcomputer. 
Reference numeral 14 denotes an image pickup unit in- 
cluding an optical sensor such as a charge coupled de- 
vice (CCD). Reference numeral 15 denotes a save 
memory for storing the image file with primary verifica- 
tion data. Reference numeral 16 denotes an interface 
unit that transmits the image file with the primary verifi- 
cation data to the verification data converting device 20. 
Reference numeral 1 7 denotes a program memory. The 
program memory 17 stores a program for controlling a 
function of generating the image file with primary verifi- 
cation data. Besides, the program memory 17 stores 
common information Kc needed for generation of the 
primary verification data, which is equivalent to an en- 
cryption key of a common key cryptography, and a spe- 
cific ID of the image generation device 10, which may 
be an identifier that allows the image generation device 
10 to be uniquely identified, for example, a serial 
number. The program memory 17 may be a ROM or 
EEPROM. The information stored in the program mem- 
ory 17, however, should be kept in confidence and pre- 
vented from being revealed. Reference numeral 18 de- 
notes an operation unit that accepts various kinds of in- 
structions (for example, start of shooting) from a user. 
[0018] Next, a configuration of the verification data 
converting device 20 according to the first embodiment 
will be described. Fig. 2 is a block diagram showing an 
essential configuration of the verification data convert- 
ing device 20 according to the first embodiment. In this 
drawing, each of the blocks represents a component 
having a specific function. 

[0019] Reference numeral 21 denotes a control / cal- 
culation unit with a working memory and microcomputer. 
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Reference numeral 24 denotes an interface unit A that 
receives the image file with primary verification data 
from the image generation device 10. Reference numer- 
al 28 denotes an interface unit B that transmits the im- 
age file with the secondary verification data to the image 
verification device 30. Reference numeral 25 denotes a 
save memory for storing the image file with primary ver- 
ification data and image file with secondary verification 
data. Reference numeral 26 denotes a program mem- 
ory. The program memory 26 stores a program for con- 
trolling a function of verifying the integrity of the image 
file with primary verification data and a function of gen- 
erating the image file with secondary verification data. 
Besides, the program memory 26 stores a table T1 in- 
cluding specific IDs of a plurality of image generation 
devices, a plurality of pieces of common information Kc 
corresponding to the respective specific IDs, each of 
which is equivalent to the decode key of the common 
key cryptography, and a plurality of pieces of secret in- 
formation Ks corresponding to the respective IDs, each 
of which is equivalent to the secret key of the public key 
cryptography. An example of the table T1 is shown in 
Fig. 7A. The program memory 26 may be a ROM or 
EEPROM. The information stored in the program mem- 
ory 26, however, should be kept in confidence and pre- 
vented from being revealed, Reference numeral 27 de- 
notes an operation unit that accepts various kinds of in- 
structions from a user. Reference numeral 22 denotes 
an output unit that outputs a message showing whether 
or not the image file with secondary verification data is 
altered to an external device such as a display unit or 
printer. 

[0020] Next, a configuration of the image verification 
device 30 according to the first embodiment will be de- 
scribed. Fig. 3 is a block diagram showing an essential 
configuration of the image verification device 30 accord- 
ing to the first embodiment. In this drawing, each of the 
blocks represents a component having a specific func- 
tion. 

[0021] Reference numeral 31 denotes a control / cal- 
culation unit with a working memory and microcomputer. 
Reference numeral 34 denotes an interface unit that re- 
ceives the image file with secondary verification data 
and public information Kp needed for verification of the 
integrity of the image file with the secondary verification 
data. Reference numeral 36 denotes a program mem- 
ory. The program memory 36 stores a program for con- 
trolling a function of verifying the integrity of the image 
file with secondary verification. Besides, the program 
memory 36 stores a table T2 Including specific IDs of a 
plurality of image generation devices and a plurality of 
pieces of public information Kp corresponding to the re- 
spective IDs, each of which is equivalent to the public 
key of the public key cryptography. An example of the 
table T2 is shown in Fig. 7B. The program memory 36 
may be a ROM or EEPROM. Reference numeral 37 de- 
notes an operation unit that accepts various kinds of in- 
structions from a user. Reference numeral 32 denotes 



an output unit that outputs a message showing whether 
or not the image file with secondary verification data is 
altered to an external device such as a display unit or 
printer. Reference numeral 35 denotes a save memory 
5 for storing the image file with secondary verification da- 
ta. The save memory 35 serves also as a database hav- 
ing registered therein information including the pres- 
ence of an alteration, location of the public information, 
specific ID information of the verification data converting 
w device 20, registration date, and verification date. 
[0022] Next, a processing procedure of the image da- 
ta verification system according to the first embodiment 
will be described. Fig. 4 is a diagram for illustrating the 
processing procedure of the image data verification sys- 
'5 tern according to the first embodiment; 

[0023] Step S401: The image generation device 10 
generates image data of a subject according to the 
shooting instruction from a user, and creates an image 
file in accordance with a predetermined image file for- 
20 mat from the generated image data. In this process, the 
image data is compressed and coded in a compression 
coding method in accordance with the predetermined 
file format. The predetermined file format may be JFIF 
(JPEG File Interchange Format), TIFF (Tagged Image 
25 File Format), GIF (Graphics Interchange Format), ex- 
tended format thereof, or other image file format. 
[0024] Step S402: the image generation device 10 
generates primary verification data forthe generated im- 
age data from the image data and shared information 
30 Kc. 

[0025] Now, with reference to Figs. 5Aand5B, an ex- 
ample of a method for generating the primary verifica- 
tion data will be described. The method for generating 
the primary verification data should not be disclosed to 
35 the public for security of the primary verification data and 
should be kept in confidence within the image genera- 
tion device 10 and verification data converting device 
20. 

[0026] Fig. 5A is a diagram for illustrating a first meth- 
40 od for generating the primary verification data. The first 
method shown in Fig. 5A is implemented according to 
the following sub-steps (a1) to (a3). Here, the method 
shown in Fig. 5A is implemented by the control / calcu- 
lation unit 1 1 of the image generation device 1 0 and con- 
45 trol / calculation unit 21 of the verification data convert- 
ing device 20. 

(a1) First, a simple calculation is performed to en- 
crypt the image data with the shared information Kc. 
so An example of the simple calculation is shown in 
Fig. 6. As shown in Fig. 6, in the first embodiment, 
the image data is encrypted by performing the ex- 
clusive O R calculation on the part of the image data 
(for example, most significant byte) and shared in- 
55 formation Kc (for example, "11111111"). The simple 
calculation may be replaced with another calcula- 
tion algorithm so far as it can be performed in a short 
time with the restricted calculation resource of the 
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image generation device 10. 
(a2) Then, the data obtained in the sub-step (a1) is 
converted into digest data (hash data) by a hash 
function H1. The hash function H1 may be MD-2, 
MD-4, MD-5, SHA-1, RIPEMD-128, RIPEMD-160, 
or other hash functions. 

(a3) Finally, the digest data obtained in the sub-step 
(a2) is regarded as the primary verification data. 

[0027] Fig. 5B is a diagram for illustrating a second 
method for generating the primary verification data. The 
second method shown in Fig. 5B is implemented ac- 
cording to the following sub-steps (b1 ) to (b3). Here, the 
second method shown in Fig. 5A is implemented by the 
control / calculation unit 11 of the image generation de- 
vice 1 0 and control /calculation unit 21 of the verification 
data converting device 20. 

(b1) First, the image data is converted into digest 
data (hash data) by the hash function H1 . The hash 
function H1 may be MD-2, MD-4, MD-5, SHA-1, 
RIPEMD-128, RIPEMD-160, or other hash func- 
tions. 

(b2) Then, the digest data is encrypted with the 
shared information Kc according to a predeter- 
mined common key cryptography. The predeter- 
mined common key cryptography may be DES, 
Rinjdael, or other common key cryptographies. 
(b3) Finally, the digest data encrypted with the 
shared information Kc is regarded as the primary 
verification data. 

[0028] Step S403: The image generation device 10 
adds the generated primary verification data to the 
header portion of the image file to create the image file 
with primary verification data. In addition to the primary 
verification data, the image generation device 10 adds 
the specific ID information of the image generation de- 
vice 10 to the header portion of the image file. 
[0029] Step S404: The image generation device 10 
transmits the image file with primary verification data to 
the verification data converting device 20. 
[0030] Step S405: Upon receiving the image file with 
primary verification data, the verification data converting 
device 20 extracts the primary verification data and spe- 
cific ID of the image generation device 1 0 from the head- 
er portion of the file and the image data from the data 
portion of the file. Furthermore, the verification data con- 
verting device 20 detects the shared information Kc and 
secret information Ks corresponding to the extracted 
specific ID by referring to the table T1 in the program 
memory 26. In the case where the specific ID of the im- 
age generation device is "001 ", for example, the shared 
information Kc corresponding to the specific ID is 
"0x1111", and the secret information Ks corresponding 
to the specific ID is "0x2222". The verification data con- 
verting device 20 generates the primary verification data 
for the extracted image data from the image data and 



detected shared information Kc. Here, the verification 
data converting device 20 generates the primary verifi- 
cation data in the same manner as the image generation 
device 10. 

5 [0031] Step S406: The verification data converting 
device 20 compares the primary verification data ex- 
tracted from the image file with primary verification data 
(that is, primary verification data generated in the image 
generation device 1 0) with the primary verification data 
'0 generated in step S405 (that is, primary verification data 
generated in the verification data converting device 20) 
to verify the integrity of the image data in the image file 
with primary verification data. If the image data is not 
altered from the transmission by the image generation 
is device 10 until the reception by the verification data con- 
verting device 20, the two pieces of primary verification 
data coincide with each other. At this case, the verifica- 
tion data converting device 20 can reliably confirm that 
the image data is the image data that is generated in the 
20 image generation device 1 0 and that it is secure data 
which has not been altered. Further, in such a case, the 
verification data converting device 20 determines that 
the image data is not altered and begins to generate the 
secondary verification data for the image data. On the 
25 other hand, if the image data is altered from the trans- 
mission by the image generation device 10 until the re- 
ception by the verification data converting device 20, the 
two pieces of primary verification data don't coincide 
with each other. In such a case, the verification data con- 
30 verting device 20 determines that the image data is al- 
tered and informs a user (who takes a picture) via a mes- 
sage that the image data is altered. In such a case, fur- 
thermore, the verification data converting device 20 in- 
hibits generation of the secondary verification data for 
3s the image data. 

[0032] Step S407: In the case where it is determined 
that the image data is not altered, the verification data 
converting device 20 generates the secondary verifica- 
tion data (that is, digital signature) from the image data 
•to in the image file with primary verification data. 

[0033] Now, with reference to Fig. 8, a method for gen- 
erating the secondary verification data will be described. 
The method illustrated in Fig. 8 is implemented accord- 
ing to the following sub-steps (1) to (3). Here, the metri- 
cs od illustrated in Fig, 8 is implemented by the control / 
calculation unit 21 of the verification data converting de- 
vice 20 and control / calculation unit 31 of the image 
verification device 30. 

so (1 ) First, the image data is converted into digest da- 
ta (hash data) by a hash function H2. The hash func- 
tion H2 may be any one of MD-2, MD-4, MD-5, SHA- 
1, RIPEMD-128, RIPEMD-160, or other hash func- 
tions. 

55 (2) Then, the digest data is encrypted with the se- 
cret information Ks according to a predetermined 
public key cryptography. The predetermined public 
key cryptography may be RSA encryption or other 
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public key cryptographies. 
(3) Finally, the digest data encrypted with the secret 
information Ks is regarded as the secondary verifi- 
cation data (that is, digital signature). 

[0034] Step S408: The verification data converting 
device 20 replaces the primary verification data in the 
header portion of the image file with the secondary ver- 
ification data to create the image file with secondary ver- 
ification data. The created image file with secondary ver- 
ification data is output to a public network such as the 
Internet, or a removable medium (removable storage 
medium) such as a memory card. The image verification 
device 30 receives the image file with secondary verifi- 
cation data from the public network such as the Internet, 
or a removable medium (removable storage medium) 
such as a memory card, 

[0035] Step S409: Upon receiving the image file with 
secondary verification data, the image verification de- 
vice 30 extracts the secondary verification data and spe- 
cific ID of the image generation device 1 0 from the head- 
er portion of the file. Furthermore, the image verification 
device 30 detects the public information Kp correspond- 
ing to the extracted specific ID by referring to the table 
T2 in the program memory 36. In the case where the 
specific ID of the image generation device 10 is "001", 
for example, the public information Kp corresponding to 
the specific ID is "0x1111", and the secret information 
Ks corresponding to the specific ID is "0x3333". The 
public information Kp may be obtained from a predeter- 
mined server. The image verification device 30 decodes 
the extracted secondary verification data with the public 
information Kp to restore the digest data (hash value). 
Here, the public information Kp corresponds to the se- 
cret information Ks kept in confidence by the verification 
data converting device 20 and is disclosedto the public. 
[0036] Step S410: In addition, the image verification 
device 30 extracts the image data from the data portion 
of the image file with secondary verification data. 
The image verification device 30 converts the extracted 
image data into digest data (hash value) by the hash 
function H2. This hash function H2 is the same as the 
hash function H2 used in the verification data converting 
device 20. 

[0037] Step S411: The image verification device 30 
compares the digest data restored in step S409 with the 
digest data obtained in step S410 to verify the integrity 
and validity of the image data in the image file with sec- 
ondary verification data. If the image data is not altered 
from the transmission by the verification data converting 
device 20 until the reception by the image verification 
device 30, the two pieces of digest data coincide with 
each other. In this case, the image verification device 
30 can reliably confirm that the image data is the image 
data that is generated in the image generation device 
1 0, and that the secondary verification data of the image 
data has be added by the primary verification device 20. 
Further, in such a case, the image verification device 30 



determines that the image data is not altered and in- 
forms a user (verifier) of the determination result. On the 
other hand, if the image data is altered from the trans- 
mission by the verification data converting device 20 un- 

5 til the reception by the image verification device 30, the 
two pieces of digest data don't coincide with each other. 
In such a case, the image verification device 30 deter- 
mines thatthe image data is altered and informs the user 
(verifier) of the determination result. 

10 [0038] Step S41 2: Each time an alteration in the im- 
age file with secondary verification data is checked for, 
the image verification device 30 registers the informa- 
tion including the file name of the image file, registration 
date of the image file, verification date of the image file, 

'5 presence or absence of an alteration, location of the 
public information Kp, specific ID information of the ver- 
ification data converting device 20 into a database in the 
save memory 35. The registration of such information 
into the save memory allows the verifier to manage the 

20 verified image file with secondary verification data to be 
accomplished. 

[0039] As described above, with the image data veri- 
fication system according to the first embodiment, it is 
possible to reliably determine whether the image data 
25 generated by the image generation device 1 0 is altered 
or not without significantly enhancing the performance 
of the calculation resource of the image generation de- 
vice 10. 

[0040] In addition, with the image data verification 
30 system according to the first embodiment, it is possible 
to reduce the cost of the image generation device 1 0. 
[0041] In addition, with the image data verification 
system according to the first embodiment, it is possible 
to reliably confirm whether or not the image data in the 
35 image file with primary verification data or the image da- 
ta in the image file with secondary verification data is 
the image data generated in the image generation de- 
vice 10. 

[0042] In addition, with the image data verification 
40 system according to the first embodiment, it is possible 
to operate securely the whole system because the pri- 
mary verification data ensures the security from the im- 
age generation device 10 to the verification data con- 
verting device 20, and the secondary verification data 
45 (that is, digital signature) ensures the security from the 
verification data converting device 20 to the image ver- 
ification device 30. 

[0043] Next, with reference to Fig. 9, a processing 
procedure of the image generation device 1 0 according 
so to the first embodiment will be described. The process- 
ing procedure shown in Fig. 9 is performed according to 
the program stored in the program memory 17. The 
processing procedure shown in Fig. 9 is performed each 
time image one piece of data is obtained. 
55 [0044] Step S91: The image pickup unit 14 generates 
image data of a subject according to an instruction from 
a user. The control/ calculation unit 1 1 creates an image 
file in accordance with a predetermined image file for- 
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mat from the image data generated by the image pickup 
unit 14. 

[0045] Step S92: The control /calculation unit 11 gen- 
erates primary verification data for the image data from 
the generated image data and common information Kc. 
[0046] Step S93: The control / calculation unit 1 1 adds 
the generated primary verification data to the header 
portion of the image file to create an image file with pri- 
mary verification data. In addition to the primary verifi- 
cation data, the control /calculation unit 1 1 adds the spe- 
cific ID information (that is, specific ID) of the image gen- 
eration device 1 0 to the header portion of the image f ile. 
[0047] Step S94: The interface unit 16 transmits the 
image file with primary verification data to the outside. 
[0048] By the processing procedure described above, 
each time one piece of image data is generated, the im- 
age generation device 1 0 can generate the primary ver- 
ification data for the image data and combine the image 
data, the primary verification data and the specific ID of 
the image generation device 10 into one image file. 
[0049] Next, with reference to Fig. 10, a processing 
procedure of the verification data converting device 20 
according to the first embodiment will be described. The 
processing procedure shown in Fig, 1 0 is performed ac- 
cording to the program stored in the program memory 
26. The processing procedure shown in Fig. 10 is per- 
formed each time the image file with primary verification 
data is received, 

[0050] Step S101 : The interface unit 24 receives the 
image file with primary verification data from the outside. 
[0051 ] Step S1 02: The control / calculation unit 21 ex- 
tracts the primary verification data from the header por- 
tion of the image file with primary verification data. 
[0052] StepS103: In addition, the control /calculation 
unit 21 extracts the specific ID of the image generation 
device 1 0 from the header portion of the image file with 
primary verification data and image data from the data 
portion of the same file. The control / calculation unit 21 
detects the shared information Kc and secret informa- 
tion Ks corresponding to the extracted specific ID by re- 
ferring to the table T1 in the program memory 26. The 
control / calculation unit 21 generates the primary veri- 
fication data for the extracted image data from the image 
data and detected shared information Kc. 
[0053] Step S104: The primary verification data ex- 
tracted in step S102 (that is, primary verification data 
generated in the image generation device 10) is com- 
pared with the primary verification data generated in 
step S103 (that is, primary verification data generated 
in the verification data converting device 20) to verify 
the integrity of the image data in the image file. If coin- 
cidence between two pieces of primary verification data 
is detected, the process continues to step S1 05. On the 
other hand, if coincidence between two pieces of prima- 
ry verification data is not detected, the process contin- 
ues to step S106. 

[0054] Step S105: In this case, the control / calcula- 
tion unit 21 determines that the image data is altered 



and informs a user (who takes a picture) via a message 
that the image data is altered. In this case, the image 
generation device 10 inhibits generation of the second- 
ary verification data. 
5 [0055] Step S106: In this case, the control / calcula- 
tion unit 21 generates the secondary verification data 
(that is, digital signature) from the image data in the im- 
age file with primary verification data. 
[0056] Step S1 07: The control /calculation unit 21 re- 
10 places the primary verification data in the header portion 
of the image file with the generated secondary verifica- 
tion data to create the image file with secondary verifi- 
cation data. The created image file with secondary ver- 
ification data is output to a public network such as the 
'5 Internet, or a removable medium (removable storage 
medium) such as a memory card. 
[0057] Through the processing procedure described 
above, the verification data converting device 20 can re- 
liably determine whether the image data generated by 
20 the image generation device 10 is altered or not without 
significantly enhancing the performance of the calcula- 
tion resource of the image generation device 10. In ad- 
dition, the verification data converting device 20 can re- 
liably confirm whether or not the image data in the image 
25 file with primary verification data is the image data gen- 
erated in the image generation device 10. In addition, 
once the integrity of the image file with primary verifica- 
tion data is confirmed, it also can convert the image file 
into the image file with secondary verification data (that 
30 is, image file with a digital signature). 

[0058] Next, with reference to the flowchart in Fig. 11, 
a processing procedure of the image verification device 
30 according to the first embodiment will be described. 
The processing procedure shown in Fig. 11 is performed 
35 according to the program stored in the program memory 
36. The processing procedure shown in Fig. 11 is per- 
formed each time the image file with secondary verifi- 
cation data is received. 

[0059] Step S111 : The interface unit 34 receives the 
40 image file with secondary verification data from the pub- 
lic network such as the Internet, or a removable medium 
(removable storage medium) such as a memory card. 
[0060] Step S112: The image verification device 30 
extracts the specific ID of the image generation device 
45 10 from the header portion of the image file with sec- 
ondary verification data. Furthermore, the image verifi- 
cation device 30 detects the public information Kp cor- 
responding to the extracted specific ID by referring to 
the table T2 in the program memory 36. 
so The public information Kp may be obtained from a pre- 
determined server. 

[0061] StepS113:Thecontrol/calculationunit31 ex- 
tracts the secondary verification data from the header 
portion of the image file with secondary verification data. 
55 [0062] Step S1 14: The control /calculation unit 31 de- 
codes the secondary verification data extracted in step 
S1 13 with the public information Kpto restore the digest 
data (hash value). 
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[0063] Step S1 15: The control /calculation unit 31 ex- 
tracts the image data from the data portion of the image 
file with secondary verification data and converts the ex- 
tracted image data into digest data (hash value) by the 
hash function H2. 

[0064] Step S116: The control / calculation unit 31 
compares the digest data restored in step S1 1 4 with the 
digest data obtained in step S115 to verify the integrity 
and the validity of the image data in the image file with 
secondary verification data. If coincidence between two 
pieces of digest data is detected, the process continues 
to step S1 1 7, On the other hand, if coincidence between 
two pieces of digest data is not detected, the process 
continues to step S118. 

[0065] Step S1 1 7: In this case, the control/calculation 
unit 31 determines that the image data is altered and 
informs a user (verifier) via a message that the image 
data is altered. 

[0066] StepS118: lnthiscase,thecontrol/calculation 
unit 31 determines that the image data is not altered and 
informs a user (verifier) via a message that the image 
data is not altered. 

[0067] Step S119: The control / calculation unit 31 
registers the information including the file name of the 
image file, registration date of the image file, verification 
date of the image file, presence or absence of an alter- 
ation, location of the public information Kp, specific ID 
information of the verification data converting device 20 
into a database in the save memory 35, 
[0068] Through the processing procedure described 
above, the image verification device 30 can reliably de- 
termine whether the image data generated by the image 
generation device 10 is altered or not. In addition, the 
image verification device 30 can reliably confirm wheth- 
er or not the image data in the image file with secondary 
verification data is the image data generated in the im- 
age generation device 10. 

[0069] As described above, with the image data veri- 
fication system according to the first embodiment, it is 
possible to reliably determine whether the image data 
generated by the image generation device 1 0 is altered 
or not without significantly enhancing the performance 
of the calculation resource of the image generation de- 
vice 10. 

(Second embodiment) 

[0070] Now, a preferred second embodiment of the 
present invention will be described with reference to the 
drawings. In the second embodiment, a case where the 
verification data converting device 20 of the first embod- 
iment is constituted by two data processors so that the 
security of the shared information Kc and secret infor- 
mation Ks is improved will be described. 
[0071] First, Fig. 13 is a diagram illustrating an exam- 
ple of a configuration of an image data verification sys- 
tem according to the first embodiment. The configura- 
tion of the image generation device 1 0 and image veri- 



fication device 30, and the process procedure of them 
are the same as in the first embodiment, and therefore, 
description thereof will be omitted. 
[0072] Reference numeral 20A denotes a first verifi- 
5 cation data converting device. Reference numeral 20B 
denotes a second verification data converting device 
that is robuster that the-first verification data converting 
device 20A. The verification data converting device 20A 
transfers the image file with primary verification data ra- 
re ceived from the image generation device 1 0 to the ver- 
ification data converting device 20B and informs a user 
(who takes a picture) of the verification result of the ver- 
ification data converting device 20B. The verification da- 
ta converting device 20B verifies the integrity of the im- 
'5 age data in the image file with primary verification data 
to determine whether the image data is altered or not. 
If the integrity of the image data is confirmed (that is, if 
the image data is not altered), the verification data con- 
verting device 20B generates the secondary verification 
20 data for verifying the integrity and validity of the image 
data (that is, digital signature) and converts the image 
file with primary verification data into the image file with 
secondary verification data. In this regard, the verifica- 
tion data converting device 20A is a computer such as 
25 a personal computer. The verification data converting 
device 20B may be a storage medium with a microproc- 
essor, such as an IC card, or a server computer having 
the verification data converting device 20A as a client 
computer. In the case where the verification data con- 
30 verting device 20A is a client and the verification data 
converting device 20B is a server, the connection be- 
tween these devices may be a network, such as a LAN, 
WAN, or the Internet. 

[0073] The medium connecting the image generation 
35 device 10 and verification data converting device 20A 
may be a transmission medium such as a LAN, 
IEEE1394-1995, or USB (Universal Serial Bus), ora re- 
movable medium (removable storage medium) such as 
a memory card. The medium connecting the verification 
40 data converting device 20A and image verification de- 
vice 30 may be a public network such as the Internet, 
or a removable medium (removable storage medium) 
such as a memory card. 

[0074] Next, a configuration of the verification data 
45 converting device 20A according to the second embod- 
iment will be described. Fig. 1 4 Is a block diagram show- 
ing an essential configuration of the verification data 
converting device 20A according to the second embod- 
iment. In this drawing, each of the blocks represents a 
so component having a specific function. 

[0075] Reference numeral. 1421 denotes a control / 
calculation unit with a working memory and microcom- 
puter. Reference numeral 1423 denotes an interface 
unit A that receives the image file with primary verifica- 
55 tion data from the image generation device 1 0. Refer- 
ence numeral 1424 denotes an interface unit B that 
transmits the image file with primary verification data to 
the verification data converting device 20A and receives 
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the image file with the secondary verification data from 
the verification data converting device 20A. Reference 
numeral 1428 denotes an interface unite that transmits 
the image file with secondary verification data to the im- 
age verification device 30. Reference numeral 1425 de- 
notes a save memory for storing the image file with pri- 
mary verification data and image file with secondary ver- 
ification data. Reference numeral 1426 denotes a pro- 
gram memory. The program memory 1426 stores a pro- 
gram for controlling a function of verifying the integrity 
of the image file with primary verification data. The pro- 
gram memory 1426 may be a ROM or EEPROM. Ref- 
erence numeral 1 427 denotes an operation unit that ac- 
cepts various kinds of instructions from a user. Refer- 
ence numeral 1 422 denotes an output unit that outputs 
a message showing whether or not the image file with 
secondary verification data is altered to an external de- 
vice such as a display unit or printer. 
[0076] Next, a configuration of the verification data 
converting device 20B according to the second embod- 
iment will be described. Fig. 1 5 is a block diagram show- 
ing an essential configuration of the second verification 
data converting device according to the second embod- 
iment, In this drawing, each of the blocks represents a 
component having a specific function. 
[0077] Reference numeral 1521 denotes a control / 
calculation unit with a working memory and microcom- 
puter. Reference numeral 1524 denotes an interface 
unit that receives the image file with primary verification 
data from the verification data converting device 20A 
and transmits the image file with the secondary verifica- 
tion data to the verification data converting device 20A. 
Reference numeral 1525 denotes a save memory for 
storing the image file with primary verification data and 
image file with secondary verification data. Reference 
numeral 1 526 denotes a program memory. The program 
memory 1 526 stores a program for controlling a function 
of generating the image file with secondary verification 
data, Besides, the program memory 1 526 stores a table 
T1 including specific IDs of a plurality of image genera- 
tion devices, a plurality of pieces of common information 
Kc corresponding to the respective specific IDs, each of 
which is equivalent to the decode key of the common 
key cryptography, and a plurality of pieces of secret in- 
formation Ks corresponding to the respective IDs, each 
of which is equivalent to the secret key of the public key 
cryptography. An example of the table T1 is shown in 
Fig. 7A. The program memory 1526 may be a ROM or 
EEPROM. The information stored in the program mem- 
ory 1526, however, should be kept in confidence and 
prevented from being revealed. 
[0078] Next, a processing procedure of the image da- 
ta verification system according to the second embodi- 
ment will be described. Fig. 1 6 is a diagram for illustrat- 
ing the processing procedure of the image data verifi- 
cation system according to the second embodiment; 
[0079] The processing procedure from step S1 601 to 
step S1603 is the same as the processing procedure 



from step S401 to step S403 in the first embodiment, 
and therefore, description thereof will be omitted. 
[0080] Step S1 604: The image generation device 1 0 
transmits the image file with primary verification data to 
s the verification data converting device 20A. 

[0081] Step S1605: The verification data converting 
device 20A transmits the image file with primary verifi- 
cation data to the verification data converting device 
20B. 

10 [0082] Step S1 606: Upon receiving the image file with 
primary verification data, the verification data converting 
device 20B extracts the primary verification data and 
specific ID of the image generation device 10 from the 
header portion of the file and the image data from the 
is data portion of thefile. Furthermore, the verification data 
converting device 20B detects the shared information 
Kc and secret information Ks corresponding to the ex- 
tracted specific ID by referring to the table T1 in the pro- 
gram memory 1526. Tn the case where the specific ID 
20 of the image generation device 10 is "001", for example, 
the shared information Kc corresponding to the specific 
ID is "0x1111", and the secret information Ks corre- 
sponding to the specific ID is "0x2222". The verification 
data converting device 20B generates the primary ver- 
25 ification data for the extracted image data from the ex- 
tracted image data and detected shared information Kc. 
Here, the verification data converting device 20B gen- 
erates the primary verification data in the same manner 
as the image generation device 10. 
30 [0083] Step S1 607: The verification data converting 
device 20B compares the primary verification data ex- 
tracted from the image file with primary verification data 
(that is, primary verification data generated in the image 
generation device 1 0) with the primary verification data 
35 generated in step S1 606 (that is, primary verification da- 
ta generated in the verification data converting device 
20B) to verify the integrity of the image data in the image 
file with primary verification data. If the image data is not 
altered from the transmission by the image generation 
40 device 1 0 u ntil the reception by the verification data con- 
verting device 20B, the two pieces of primary verification 
data coincide with each other. In this case, the verifica- 
tion data converting device 20B can reliably confirm that 
the image data is the image data generated in the image 
45 generation device 10, and that is secured image data 
that has not been altered. Further, in such a case, the 
verification data converting device 20B determines that 
the image data is not altered and begins to generate the 
secondary verification data for the image data. On the 
so other hand, if the image data is altered from the trans- 
mission by the image generation device 10 until the re- 
ception by the verification data converting device 20B, 
the two pieces of primary verification data don't coincide 
with each other. I n such a case, the verification data con- 
55 verting device 20B determines that the image data is 
altered and transmits a message showing that the im- 
age data is altered to the verification data converting de- 
vice 20A. In such a case, the verification data converting 



25 



30 



35 



40 



45 



50 



9 



17 



EP 1 209 847 A1 



18 



device 20B inhibits generation of the secondary verifi- 
cation data for the image data. 
[0084] Step S1 608: In the case where it is determined 
that the image data is not altered, the verification data 
converting device 20B generates the secondary verifi- 
cation data (that is, digital signature) from the image da- 
ta in the image file with primary verification data. The 
verification data converting device 20B generates the 
secondary verification data from the image data accord- 
ing to the method illustrated in Fig. 8. 
[0085] Step S1609: The verification data converting 
device 20B replaces the primary verification data in the 
header portion of the image file with the generated sec- 
ondary verification data to create the image file with sec- 
ondary verification data. The created imagefile with sec- 
ondary verification data is transmitted to the verification 
data converting device 20A, 
[0086] Step S1610: The verification data converting 
device 20A outputs the image file with secondary veri- 
fication data to a public network such as the Internet, or 
a removable medium (removable storage medium) such 
as a memory card. The image verification device 30 re- 
ceives the image file with secondary verification data 
from the public network such as the Internet, or a remov- 
able medium (removable storage medium) such as a 
memory card. 

[0087] Step S1611 : Upon receiving the imagefile with 
secondary verification data, the image verification de- 
vice 30 extracts the secondary verification data and spe- 
cific ID of the image generation device 1 0 from the head- 
er portion of the file. Furthermore, the image verification 
device 30 detects the public information Kp correspond- 
ing to the extracted specific ID by referring to the table 
T2 in the program memory 36, In the case where the 
specific ID of the image generation device 10 is "001", 
for example, the public information Kp corresponding to 
the specific ID is "0x1111", and the secret information 
Ks corresponding to the specific ID is "0x3333". The 
public information Kp may be obtained from a predeter- 
mined server. The image verification device 30 decodes 
the extracted secondary verification data with the public 
information Kp to restore the digest data (hash value). 
Here, the public information Kp corresponds to the se- 
cret information Ks kept in confidence by the verification 
data converting device 20B and is disclosed to the pub- 
lic. 

[0088] Step S1 61 2: In addition, the image verification 
device 30 extracts the image data from the data portion 
of the image file with secondary verification data. 
The image verification device 30 converts the extracted 
image data into digest data (hash value) by the hash 
function H2. This hash function H2 is the same as the 
hash function H2 used in the verification data converting 
device 20B. 

[0089] Step S1 61 3: The image verification device 30 
compares the digest data restored in step S1611 with 
the digest data obtained in step S1612 to verify the in- 
tegrity and validity of the image data in the image file 



with secondary verification data. If the image data is not 
altered from the transmission by the verification data 
converting device 20B until the reception by the image 
verification device 30, the two pieces of digest data co- 
5 incide with each other. In this case, the image verifica- 
tion device 30 can reliably confirm that the image data 
is the image data that is generated in the image gener- 
ation device 10, and that the secondary verification data 
of the image data has been added by the verification 
10 data converting device 20B. In such a case, the image 
verification device 30 determines that the image data is 
not altered and informs a user (verifier) of the determi- 
nation result. On the other hand, if the image data is 
altered from the transmission by the verification data 
15 converting device 20B until the reception by the image 
verification device 30, the two pieces of digest data don't 
coincide with each other. I n such a case, the image ver- 
ification device 30 determines that the image data is al- 
tered and informs the user (verifier) of the determination 
result. 

[0090] Step S1614: Each time an alteration in the im- 
age file with secondary verification data is checked for, 
the image verification device 30 registers the informa- 
tion including the file name of the image file, registration 
date of the image file, verification date of the image file, 
presence or absence of an alteration, location of the 
public information Kp, specific ID information of the ver- 
ification data converting device 20A into a database in 
the save memory 35. The registration of such informa- 
tion into the save memory allows the verifier to manage 
the verified image file with secondary verification data 
to be accomplished. 

[0091] As described above, with the image data veri- 
fication system according to the second embodiment, it 
is possible to reliably determine whether the image data 
generated by the image generation device 1 0 is altered 
or not without significantly enhancing the performance 
of the calculation resource of the image generation de- 
vice 10 as in the first embodiment. In addition, as in the 
first embodiment, with the image data verification sys- 
tem according to the second embodiment, it is possible 
to reduce the cost of the image generation device 10. 
[0092] In addition, with the image data verification 
system according to the second embodiment, it is pos- 
sible to reliably confirm whether or not the image data 
in the image file with primary verification data or the im- 
age data in the image file with secondary verification da- 
ta is the image data generated in the image generation 
device 10. 

[0093] In addition, with the image data verification 
system according to the second embodiment, it is pos- 
sible to operate securely the whole system because the 
primary verification data ensures the security from the 
image generation device 1 0 to the verification data con- 
verting device 20B, and the secondary verification data 
ensures the security from the verification data convert- 
ing device 20B to the image verification device 30. 
[0094] In addition, with the image data verification 
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system according to the second embodiment, the secu- 
rity for the shared information Kc and secret information 
Ks can be enhanced by implementing the verification 
data converting device 20B retaining the shared infor- 
mation Kc and secret information Ks as a data processor 
with higher security such as an IC card or server com- 
puter, rather than a data processor such as a personal 
computer. 

[0095] Next, with reference to Fig. 17, a processing 
procedure of the verification data converting device 20A 
according to the second embodiment will be described. 
The processing procedure shown in Fig. 1 7 is performed 
according to the program in the program memory 1 426. 
The processing procedure shown in Fig. Misperformed 
each time an image file with primary verification data is 
input. 

[0096] Step S1701: The interface unit A 1423 re- 
ceives the image file with primary verification data from 
the image generation device 10. 
[0097] Step S1702: The interface unit B 1424 trans- 
mits the image file with primary verification data to the 
verification data converting device 20B. 
[0098] Step S1 703: If the verification data converting 
device 20B cannot verify the integrity in the image file 
with primary verification data, the process continues to 
step S1704. On the other hand, if the verification data 
converting device 20B can verify the integrity in the im- 
age file with primary verification data, the process con- 
tinues to step S1705. 

[0099] Step S1704: In this case, the interface unit 
B1424 receives the message showing that the image 
data is altered. The control / calculation unit 1 421 trans- 
mits to a user a message showing that the image data 
is altered. 

[0100] Step S1705: In this case, the interface unit B 
1 424 receives the image file with secondary verification 
data. 

[0101] Step S1 706: The interface unit C 1 428 outputs 
the image file with secondary verification data to a public 
network such as the Internet, or a removable medium 
(removable storage medium) such as a memory card. 
[0102] Next, with reference to Fig. 18, a processing 
procedure of the verification data converting device 20B 
according to the second embodiment will be described. 
The processing procedure shown in Fig. 18 is performed 
according to the verification program in the program 
memory 1526. The processing procedure shown in Fig. 
18 is performed each time the image file with primary 
verification data is received, 

[0103] Step S1801 : The interface unit 1524 receives 
the image file with primaryverification data from the ver- 
ification data converting device 20A. 
[0104] Step S1 802: The control / calculation unit 1 521 
extracts the primary verification data from the header 
portion of the image file with primary verification data. 
[0105] Step S1803: In addition, the control / calcula- 
tion unit 1521 extracts the specific ID of the image gen- 
eration device 1 0 from the header portion of the image 



file with primary verification data and image data from 
the data portion of thesame file. The control/calculation 
unit 1521 detects the shared information Kc and secret 
information Ks corresponding to the extracted specific 
s ID by referring to the table T1 in the program memory 
1526, The control /calculation unit 1521 generates the 
primary verification data for the extracted image data 
from the image data and detected shared Information 
Kc. 

10 [0106] StepS1804;Thecontrol/calculationunit1521 
compares the primary verification data extracted in step 
S1802 (that is, primaryverification data generated in the 
image generation device 10) with the primary verifica- 
tion data generated in step S1803 (that is, primary ver- 

'5 ification data generated in the verification data convert- 
ing device 20B) to verify the integrity of the image data 
in the image file with primary verification data. If coinci- 
dence between two pieces of primary verification data 
is detected, the process continues to step 51806. On 

20 the other hand, if coincidence between two pieces of pri- 
mary verification data is not detected, the process con- 
tinues to step S1805. 

[0107] Step S1 805: In this case, the control /calcula- 
tion unit 1521 determines that the image data is altered 
25 and transmits a message showing that the image data 
is altered to the verification data converting device 20A. 
In this case, the verification data converting device 20B 
inhibits generation of the secondary verification data. 
[0108] Step S1 806: In this case, the control /calcula- 
so tion unit 1521 generates the secondary verification data 
(that is, digital signature) from the image data in the im- 
age file with primary verification data. 
[01 09] Step S1 807: The control / calculation un it 1 521 
replaces the primary verification data in the header por- 
35 tion of the image file with the generated secondary ver- 
ification data to create the image file with secondary ver- 
ification data. The created image file with secondary ver- 
ification data is transmitted to the verification data con- 
verting device 20A. 
40 [0110] Through the processing procedure described 
above, the verification data converting device 20B can 
reliably determine whether the image data generated by 
the image generation device 10 is altered or not without 
significantly enhancing the performance of the calcula- 
45 tion resource of the image generation device 10, and 
therefore, the cost of the image generation device 10 
can be reduced. In addition, the verification data con- 
verting device 20B can reliably confirm whether or not 
the image data in the image file with primary verification 
so data is the image data generated in the image genera- 
tion device 10. In addition, once the integrity of the im- 
age file with primaryverification data is confirmed, it also 
can convert the image file into the image file with sec- 
ondary verification data (that is, image file with a digital 
55 signature). 

[0111] The invention may be embodied in other spe- 
cific forms without departing from essential characteris- 
tics thereof. 
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[01 1 2] Therefore, the above-described embodiments 
are merely exemplary of this invention, and are not be 
construed to limit the scope of the present invention. 
[0113] The scope of the present invention is defined 
by the scope of the appended claims, and is not limited 
to only the specific descriptions in this specification . Fur- 
thermore, all the modifications and changes belonging 
to equivalents of the claims are considered to fall within 
the scope of the present invention. 



Claims 

1. An image verification system comprising an image 
generation device and a first image verification de- 
vice, characterized in that 

said image generation device includes: 

image data generation means for generating 
image data; and 

first verification data generation means for gen- 
erating first verification data for said image data 
using first information, and 
said first image verification device includes: 

verification means for verifying whether 
said image data is altered or not by using 
said image data, said first verification data, 
and said first information; and 
second verification data generation means 
for, if said image data is not altered, gener- 
ating second verification data for said im- 
age data by using said image data and sec- 
ond information. 

2. The image verification system according to claim 1 , 
characterized in that said first verification data 
generation means generates said first verification 
data by using a hash function and a predetermined 
calculation. 



6. The image verification system according to any one 
of claims 1 to 5, characterized in that said first in- 
formation is ID information for identifying said image 
generation device. 

5 

7. The image verification system according to any one 
of claims 1 to 6, characterized in that said second 
information is a secret key of a public key cryptog- 
raphy system. 

10 

8. The image verification system according to any one 
of claims 1 to 7, characterized in that said image 
verification system further comprises a second im- 
age verification device, and said second image ver- 

15 ification device includes verification means for ver- 
ifying whether said image data is altered or not by 
using said image data, said second verification da- 
ta, and third information corresponding to said sec- 
ond information. 

20 

9. The image verification system according to claim 8, 
characterized in that said second information is a 
secret key of the public key cryptography system 
and said third information is a public key of the pub- 

25 lie key cryptography system. 

10. The image verification system according to claim 8 
or 9, characterized in that said second image ver- 
ification device is a server computer having said first 

30 image verification device as a client. 

1 1 . The image verification system according to any one 
of claims 1 to 1 0, characterized in that said image 
generation device is an electronic apparatus provid- 

35 ed with an image pickup unit. 

12. The image verification system according to claim 
11, characterized in that said image generation 
device is a digital camera, a digital camcorder, or a 

40 scanner. 



3. The image verification system according to claim 1 
or 2, characterized in that said second verification 
data generation means generates said second ver- 
ification data by using a hash function and a public 45 
key cryptography. 

4. The image verification system according to any one 
of claims 1 to 3, characterized in that, if said image 
data is altered, said second verification data gener- so 
ation means inhibits generation of said second ver- 
ification data. 



13. An image verification system comprising an image 
generation device; a first device; and a second de- 
vice, characterized in that 

said image generation device includes: 

image data generation means for generating 
image data; and 

first verification data generation means for gen- 
erating first verification data for said image data 
using first information, 
said first device includes: 



5. The image verification system according to any one 
of claims 1 to 4, characterized in that said first im- 55 
age verification device comprises a memory storing 
a correspondence relationship between said first in- 
formation and said second information. 



transmission means for transmitting said 
image data and said first verification data 
to said second device, and 
said second device includes: 



12 



23 



EP 1 209 847 A1 



24 



verification means for verifying wheth- 
er said image data is altered or not by 
using said image data, said first verifi- 
cation data, and said first information; 
and 

second verification data generation 
means for, if said image data is not al- 
tered, generating second verification 
data for said image data by using said 
image data and second information. 

14. The image verification system according to claim 
1 3, characterized in that said first verification data 
generation means generates said first verification 
data by using a hash function and a predetermined 
calculation. 

15. The image verification system according to claim 13 
or 14, characterized in that said second verifica- 
tion data generation means generates said second 
verification data by using a hash function and a pub- 
lic key cryptography. 

1 6. The image verification system according to any one 
of claims 13 to 15, characterized in that, if said 
image data is altered, said second verification data 
generation means inhibits generation of said sec- 
ond verification data. 

17. The image verification system according to any one 
of claims 1 3 to 1 6, characterized in that said sec- 
ond device comprises a memory storing a corre- 
spondence relationship between said first informa- 
tion and said second information. 

1 8. The image verification system according to any one 
of claims 13 to 17, characterized in that said first 
information is ID information for identifying said im- 
age generation device. 

19. The image verification system according to any one 
of claims 13 to 18, characterized in that said sec- 
ond information is a secret key of a public key cryp- 
tography system. 

20. The image verification system according to any one 
of claims 13 to 19, characterized in that said sec- 
ond device is an IC card or a storage medium with 
a microprocessor. 

21 . The image verification system according to any one 
of claims 1 3 to 1 9, characterized in that said sec- 
ond device is a server computer having said first 
image verification device as a client. 

22. The image verification system according to any one 
of claims 1 3 to 21 , characterized in that said image 
verification system further comprises an image ver- 



ification device, and said image verification device 
includes verification means for verifying whether 
said image data is altered or not by using said image 
data, said second verification data, and third infor- 
5 mation corresponding to said second information. 

23. The image verification system according to claim 
22, characterized in that said second information 
is a secret key of the public key cryptography sys- 

10 tern and said third information is a public key of the 
public key cryptography system. 

24. The image verification system according to claim 22 
or 23, characterized in that said image verification 

'5 device is a server computer having said first device 
as a client. 

25. The image verification system according to any one 
of claims 1 3 to 24, characterized in that said image 

20 generation device is an electronic apparatus provid- 
ed with an image pickup unit. 

26. The image verification system according to claim 
25, characterized in that said image generation 

zs device is a digital camera, a digital camcorder, or a 
scanner. 

27. An image verification device, characterized by 

comprising: 

30 

verification means for verifying whether image 
data is altered or not by using said image data, 
first verification data for said image data, and 
ID information for identifying an image genera- 
35 tion device that has generated said image data; 

and 

generation means for, if said image data is not 
altered, generating second verification data for 
said image data by using said image data and 
40 second information. 

28. The image verification device according to claim 27, 
characterized in that said generation means gen- 
erates said second verification data by using a hash 

45 function and a public key cryptography. 

29. The image verification device according to claim 27 
or 26, characterized in that said second informa- 
tion is a secret key of a public key cryptography sys- 

so tern. 

30. The image verification device according to any one 
of claims 27 to 29, characterized in that, if said 
image data is altered, said generation means inhib- 

55 its generation of said second verification data. 

31 . The image verification device according to any one 
of claims 27 to 30, characterized in that said first 
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image verification device comprises a memory stor- 
ing a correspondence relationship between said 
first information and said second information. 

32. An image verification method, characterized by s 

comprising: 

a verification step of verifying whether image 
data is altered or not by using said image data, 
first verification data for said image data, and fo 
ID information for identifying an image genera- 
tion device that has generated said image data; 
and 

a generation step of, if said image data is not 
altered, generating second verification data for '5 
said image data by using said image data and 
second information. 

33. The image verification method according to claim 

32, characterized in that in said verification data 20 
generation step, said second verification data is 
generated by using a hash function and a public key 
cryptography. 

34. The image verification method according to claim 25 
32 or 33, characterized in that said second Infor- 
mation is a secret key of a public key cryptography 
system. 

35. The image verification method accordingto anyone so 
of claims 32 to 34, characterized in that, if said 
image data is altered, in said generation step, gen- 
eration of said second verification data is inhibited. 

36. A storage medium storing a program for implement- 35 
ing the image verification method according to any 
one of claims 32 to 35. 
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